Threat Briefing: February 6, 2026


Threat Intel Update

Recent threat activity shows a sharp rise in socially engineered attacks, including phishing, device compromise, and malicious advertising aimed at bypassing traditional defenses and stealing user credentials. Attackers are exploiting exposed credentials, unpatched vulnerabilities, and compromised executive devices to gain high-privilege access within minutes, often resulting in large-scale financial theft and operational disruption.

Trusted platforms such as cloud services, macOS environments, and SaaS tools like Dropbox are increasingly abused, making fraud harder to detect and enabling rapid lateral movement. For financial organizations, credential compromise and account takeover can quickly lead to monetary loss, regulatory scrutiny, and reputational damage. These trends highlight the urgent need for stronger identity controls, executive device hardening, rapid patching, and targeted user awareness training.

Cybersecurity News

  • Phishing Campaign Uses Fake Dropbox PDFs to Steal Credentials – Forcepoint reports a phishing campaign that uses deceptive PDF links to lure users to a fake Dropbox login page. The attack requires no malware: it relies on spoofed internal emails and professional-looking documents to steal credentials and location data. The scheme raises the risk of account takeover and highlights the need to verify unexpected email requests. (Source: Dark Reading)
  • $40M Crypto Theft Tied to Compromised Executive Devices – Step Finance disclosed that attackers stole approximately $40 million in digital assets after compromising executive devices, which gave them access to multiple treasury wallets. The company has engaged cybersecurity experts, recovered a small portion of the funds, and paused certain operations while urging users to avoid the STEP token during the investigation. The incident highlights a growing wave of crypto theft and demonstrates how a single compromised executive device can bypass platform defenses, reinforcing the need for strong endpoint and identity security. (Source: Bleeping Computer)
  • Infostealer Campaigns Target macOS Through Fake Ads and Installers – Microsoft warns of a rise in macOS-focused infostealer attacks spread through malicious ads and social engineering tactics like ClickFix. Users are lured to counterfeit websites that deliver Python-based malware disguised as disk image installers. The malware steals web credentials and financial data, underscoring the need for stronger user awareness and proactive monitoring for suspicious activity. (Source: The Hacker News)
  • APT28 Exploits Microsoft Office Flaw Days After Patch Release – Zscaler ThreatLabz has uncovered “Operation Neusploit,” a malware campaign exploiting a newly patched Microsoft Office vulnerability (CVE-2026-21509) just days after disclosure. Attributed to Russian-linked APT28, the attack uses malicious RTF files to launch multi-stage infections targeting users in Central and Eastern Europe. The campaign deploys backdoors for email theft and persistent system access, reinforcing the urgent need for immediate patching and proactive threat monitoring. (Source: Hack Read)
  • Eight-Minute Cloud Breach Exposes Dangers of Leaked Credentials and AI Abuse – On November 28, 2025, an attacker gained full control of a company’s cloud environment in just eight minutes after finding exposed test credentials in a public S3 bucket. Using AI-assisted reconnaissance, the intruder escalated privileges through code injection and carried out “LLMjacking” to run expensive AI models, driving potential financial losses. The incident underscores the critical need for strong credential management, secure cloud configurations, and AI-aware security controls. (Source: Hack Read)

About the Author
CampusGuard Threat Intel Team